3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
Size

2.7MB
MD5

3e47c0603d252dc9a1aa6f91f93ce76b
SHA1

87bfee4fd12ef2836b378bd593d427d4c41d5b34
SHA256

3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b
SHA512

0f798179166f7066e1afe103bbba86bb020aafb71f64bb109e193e1f41d2766dea14735b54929808db99210fef732df860e1c57e151b25bfb7178e4b068bb464
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4S+:+R0pI/IQlUoMPdmpSpO4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5028	xoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIV\\xoptiec.exe"	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUH\\optidevsys.exe"	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
5028	xoptiec.exe
5028	xoptiec.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 5028	2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe	85
PID 2516 wrote to memory of 5028	2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe	85
PID 2516 wrote to memory of 5028	2516	3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe	85

C:\Users\Admin\AppData\Local\Temp\3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe
"C:\Users\Admin\AppData\Local\Temp\3ce8b80d7dec881f48e6295bdf769d17e37b47cccdeeaa5f6349935e18d37b9b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516
- C:\SysDrvIV\xoptiec.exe
  C:\SysDrvIV\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvIV\xoptiec.exe

Filesize
2.7MB

MD5
9ea3bc6136dd26eb51bd79a9c0b78478

SHA1
e1ed9383794e1d8616c4625855c105f2b206566a

SHA256
f38affbbf20da65d4b8a48d5d26f72807b6b565c1e697230b677b36e556be05f

SHA512
2daef945e800c038dd8dbd9ff2c0897100f433f65d7d162eec8fd23492d5933ae5ff7f7b02692311e8df7c6e9c327378c60fb82a1287167e4298575824874760

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
b9ce7c0098d3a878c8013c5d6a2f5ef1

SHA1
ce72f00612fe970dc5bd4f45b4316595a8c4d352

SHA256
d1cd3bba66a3bd3ecc002011ac2f5387dc0da3b013b7494dce3864412b0c421e

SHA512
179bca563a4ef18cb159c6eef7c31138f108d3ea792464b2cfdc65c0c136d42fd58ea4ff04498698bfe5801f4107156c7cb66b7f7adb5b80ec4418f768fc2dea

Download Submit
C:\VidUH\optidevsys.exe

Filesize
30KB

MD5
7b1ee9220245f2acec5ed82c7ebcf83d

SHA1
1d93debf0d2e625375a56c315ad5990c9ee68a44

SHA256
9a1e0100a9b26737a1781decd194770ef6789199be65b5c3798f5827831c5c62

SHA512
39168e42524638d5135e3a9fb497be36503e285386462fba3839432a1b2bf00a7a1d2004ea88c9296bf5664cc6059375d180eb0c7042a3551f005b0d1cf003ba

Download Submit
C:\VidUH\optidevsys.exe

Filesize
2.7MB

MD5
13c2620604bcf88d9df169a1848dd185

SHA1
0d279d064d72ee72cd14a4118df529b2d29cc9f3

SHA256
ec38ef1fcdf9e0da9dc66cdcbc34989f1ad1b0e139bf661b609b08282fddc8e2

SHA512
939a5a63506ce5e5afa313deab13bab5ef8518ab0c5eec06966f15a7490ab95042765981d445a6dfc55be0c52b255a9b6822e7c1b286df884ce6b3688e60e252

Download Submit